Incorrect logic in the ARN matching code #134
I believe an empty string for those segments is correct in at least some cases. For example, the ARN for an S3 bucket is
I know. There are three cases that I know from experience:
I've already updated the logic as follows and am testing those conditions above now.
If the arn part is star, then the resource part cannot be an empty string.
The arns_parts[] == resource_parts[] portion is technically incomplete according to the documentation: "You can use wildcard characters (* and ?) within any ARN segment."
PR for discussion: #135
The is_arn_match code is incorrect. An empty string for the Partition, Service, Region, and Account is always assumed to be correct regardless of the resource type.
Example:
Clearly the ARN above is incorrect, but Parliament will only produce RESOURCE_MISMATCH findings for those actions that require resource *.
I double checked that the AWS documentation is correct and that Parliament produces a correct ARN definition:
The offending code is here:
https://github.com/duo-labs/parliament/blob/main/parliament/__init__.py#L130-L138
I'm thinking about how to correct this. I may have a PR in a day or two.